31 matches found

Hacker One
added 2023/02/27 1:14 a.m., 8 views

IRCCloud: XSS from Mastodon embeds

An XSS vulnerability was discovered in the IRCCloud web client that allowed an attacker to execute arbitrary JavaScript in the context of the web client. This was possible due to the default embedding of Mastodon toots, which could be manipulated to include a malicious javascript: URL. By trickin...

AI score: 6.6
Exploits: 0

Hacker One
added 2017/10/26 12:18 p.m., 30 views

IRCCloud: [IRCCloud Android] XSS in ImageViewerActivity

Hi, I'd like to report HTML/JS injection in activity com.irccloud.android.activity.ImageViewerActivity which is exported: xml so can be launched by arbitrary apps installed on the same device. On the newest Androids could be exploited also by Android Instant Apps directly from a web-browser...

AI score: 7.3
Exploits: 0

Hacker One
added 2017/10/26 11:30 a.m., 52 views

IRCCloud: [IRCCloud Android] Opening arbitrary URLs/XSS in SAMLAuthActivity

Hi, I'd like to report a bug which allows opening arbitrary URLs in com.irccloud.android.activity.SAMLAuthActivity. This activity is exported: xml it means that it can be accessed by any third-party apps installed on the same device. On the newest Androids it also could be exploited by Android...

AI score: 6.8
Exploits: 0

Hacker One
added 2017/10/08 7:31 a.m., 20 views

IRCCloud: Missing robots exclusion header for user uploads

User uploaded text files can be linked from external websites and end up appearing in search engine result pages if you perform a search such as: site:.irccloud-cdn.com ext:txt It's not possible to completely prevent such listings on all search engines, but some search crawlers support the...

AI score: 6.7
Exploits: 0

Hacker One
added 2016/07/08 7:55 p.m., 16 views

IRCCloud: Cross Site Scripting(XSS) on IRCCloud Badges Page (using Parameter Pollution)

I. Vulnerability
---------------------
IRCCloud is affected by Cross Site Scripting vulnerability in its badges page. www.irccloud.com/badges

II. Description
---------------------
IRCCloud is open to parameter pollution attacks ie. a parameter passed more than once with different values results i...

AI score: 0.8
Exploits: 0

hackapp
added 2016/04/01 8:48 a.m., 18 views

IRCCloud - Customized SSL, WebView code execution vulnerabilities

HackApp vulnerability scanner discovered that application IRCCloud published at the 'play' market has multiple vulnerabilities...

AI score: 0.7
Exploits: 0, References: 1, Affected Software: 1

Hacker One
added 2015/09/29 1:59 p.m., 32 views

IRCCloud: Inadequate input validation on API endpoint leading to self denial of service and increased system load.

Summary: A security researcher discovered an API payload that would send invalid data to their own user process, which would repeatedly fail to be handled correctly. This error handling loop prevented further access to their user account. Details: The payload was a JSON object containing an empty...

AI score: 0.1
Exploits: 0

Hacker One
added 2015/03/12 5:47 p.m., 17 views

IRCCloud: Email verification links still valid after changing it 2x

When creating a new account on IRCCloud.com the user is asked to confirm his email address. The email verification link is formatted in the following way: ircloud.com/verify-emai/userid/emailaddress/hashvalue. If the user decides to change his email address before he confirmed it, a new...

AI score: 0.1
Exploits: 0

Hacker One
added 2014/09/30 2:12 p.m., 31 views

IRCCloud: Unvalidated Channel names causes IRC Command Injection

IRCCloud does not validate the channel names created by a user causing it to be parsed as an IRC command such as QUIT. This means the user can have their clients force-closed by a malicious channel name. This could also lead to other command injections such as forcing the handover of channels to...

AI score: 1.2
Exploits: 0

Hacker One
added 2014/07/26 11:7 a.m., 22 views

IRCCloud: Bruteforce protection not enabled on the login page https://www.irccloud.com/

Hi, Team. I found that bruteforce protection is not enabled on the login page of https://www.irccloud.com/ . I tried a lot but didn't get any type of captcha or rate limiting. Thanks and regards Mohd Haji...

AI score: 0.3
Exploits: 0

Hacker One
added 2014/06/26 1:59 a.m., 23 views

IRCCloud: Reflected XSS in Pastebin-view

The paste ID passed in via the URL in the Pastebin-view is inserted between tags unsanitised. This leads to reflected XSS that bypasses all major XSS protection software Chrome, IE.... Normal request: https://www.irccloud.com/pastebin/nhm4f6pB Proof-of-concept:...

Exploits: 0

Hacker One
added 2014/05/27 1:20 p.m., 11 views

IRCCloud: Missing Character Restriction

In the team adding page, the team name has no restrictions in the input field. In the PoC I have named the team as !@$%^& which is full of symbols...

AI score: 1.8
Exploits: 0

Hacker One
added 2014/05/27 12:43 p.m., 16 views

IRCCloud: Password type input with auto-complete enabled

Vulnerability description: When a new name and password is entered in a form and the form is submitted, the browser asks if the password should be saved. Thereafter when the form is displayed, the name and password are filled in automatically or are completed as the name is entered. An attacker...

AI score: 7
Exploits: 0

Hacker One
added 2014/04/14 1:24 p.m., 25 views

IRCCloud: Login CSRF can be bypassed (Similar approach to previous one).

The login CSRF protection currently implemented is not adequate and can be bypassed pretty easily. An attacker can easily obtain a CSRF token from the server by initiating the following request: POST /chat/auth-formtoken HTTP/1.1 Host: www.irccloud.com User-Agent: Mozilla/5.0 Windows NT 6.1; WOW6...

AI score: 0.7
Exploits: 0

Hacker One
added 2014/04/14 9:46 a.m., 28 views

IRCCloud: Log Out Cross site Request Forgery

...

AI score: 2.3
Exploits: 0

Hacker One
added 2014/04/13 10:2 a.m., 12 views

IRCCloud: Dangerous Persistent xss

If a person is an op in a channel, it is possible to make all the users inside the IRC channel execute JavaScript code. Steps to reproduce: 1. Go to a random channel where you are op. 2. Enter the following command: /ban alert2 3. The script will execute an alert box containing 2 in all the browsers ...

AI score: 3.1
Exploits: 0

Hacker One
added 2014/04/13 9:10 a.m., 20 views

IRCCloud: Unwanted Spamming Using CSRF [LOGGED IN USER]

ALL DETAILS INCLUDING FIX IS IN VIDEO...

AI score: 2.5
Exploits: 0

Hacker One
added 2014/04/12 4:54 p.m., 39 views

IRCCloud: Host Header is not validated resulting in Open Redirect

Please see the attached screenshot where I am sending a request to irccloud.com with an invalid HOST header and I am getting redirected to that domain. This is because the HOST header is not validated to ensure that the request is originating from that target host or not...

AI score: 1
Exploits: 0

Hacker One
added 2014/04/11 11:31 a.m., 14 views

IRCCloud: Persistent Cross Site Scripting within the IRCCloud Pastebin

The HTML within a paste does not get correctly sanitized after an initial new line. So the following code gets executed: \r\nalert1; https://www.irccloud.com/pastebin/FADYQPrO...

AI score: 2.1
Exploits: 0

Hacker One
added 2014/04/11 11:17 a.m., 21 views

IRCCloud: CSRF to Account Take Over Bug

Hello Sir, this is N B Sri Harsha. I have found a CSRF to account takeover bug. Affected URL: https://www.irccloud.com/chat/user-settings I have written an HTML code and uploaded it, please check that out. You have to fill in the email address there and click on update settings. You will get output as...

AI score: 0.2
Exploits: 0